ForwardAuth with copy_headers leaves template code in header if auth backend doesn't set that header

[mbunkus]

Caddy 2.8.4

Using Caddy with Authelia, I have Authelia configured to only do 2FA with certain URIs & to completely bypass certain other URIs. For those URIs that completely bypass authentication Authelia cannot & does not set a Remote-User header.

Unfortunately Caddy doesn't like that very much. With a simple configuration snippet such as

https://… {
	forward_auth https://authelia-server:8000 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
	}
	reverse_proxy https://…
}

what happens is that Caddy sets the Remove-User header correctly when Authelia sets the header, too. But when Authelia does not set the Remove-User header (or any of the others), what Caddy sends to the proxied server is actually the following:

Remote-User: {http.reverse_proxy.header.Remote-User}

Yes, it leaves the template code as-is in the headers it sends to the proxy server. Same for the any other header configured via copy_headers that isn't set by Authelia.

This means I'll have to include the bypassed URIs from Authelia's configuration in Caddy's configuration & only send requests for other URIs to Authelia, making this whole configuration much more complex & difficult to maintain.

[francislavoie]

I just opened https://github.com/caddyserver/caddy/pull/6608 yesterday to fix it 😂

[mbunkus]

That's very fortunate 😂 Thanks!

[francislavoie]

FWIW if you need an immediate workaround, you can check out the forum thread linked in the PR

[mbunkus]

Thanks, but it's not that urgent. I've added the bypassed URIs as a negative matcher & used that with for forward_auth. That suffices until a new release fixes the issue. I'd just rather I don't have to keep both locations in sync indefinitely, which I won't have to. Yay!